As great a feature as this import html is, I do worry a great deal about the security risk. Obviously people can technically do the same thing with inspect element, but it's a lot more involved than providing a button for it, and personally I do not want to set my pages to log-in only or add a content warning when theres nothing to warn for.
So, since TH does not have an API that I'm aware of, I think the easiest way to ensure people are only importing their own codes or codes they have permission to import, is for people to add a key to their profile that signals to circlejourney that it's okay to import. E.g.:
<div class="circlejourney" style="display:none;"></div>
So as long as it finds an element with the class circlejourney, then it can import.
That makes this an opt-in process rather than an opt-out one that also changes how TH functions